Large keys

When generating a new key pair, you have to choose how large the private key should be.

As of October 2014, GnuPG's default is to use 2048 bit RSA keys. This recommendation will serve most users best. Please also refer to the FAQs on keysize.

There is an ongoing debate on the gnupg-users mailing list about what the future default length should be and what sizes should be supported.

Note that the principle author of GnuPG, Werner Koch recommends to not use private keys larger than 4 KiB. He believes 8 KiB to be a practical upper limit that GnuPG should technically support. See, for instance, his statement in Debian Issue739424. Since version 2.0.27 and 1.4.19 GnuPG can be compiled with --enable-large-secmem to offer a --enable-large-rsa option that can create keys up to 8 KiB. Some elder versions supported creating of keys up to 16 KiB.

The main arguments (TODO) are:

• GnuPG needs to ensure (somewhat) secure memory, because of DDoS attacks there must be a limit on supported keysizes.
• With larger private keysizes there are drawbacks in performance, especially on small systems (such as, a drained battery). This lead to a less usable and thus also slightly less secure system (through the "threat" that crypto is less often used because of the inconvenience of time and battery it takes to use it).
• While larger keys may provide some more security against breaking the RSA encryption math, it can only be estimated how much extra security more bits provide. As most mathematical threats do not come by brute force, it is unclear how much more protection very large keys can provide.
• Sending side of communication: There are OpenPGP implementations that only encrypt or sign up to a certain upper limit (e.g. OpenPGP cards are known to go to 3 KiB or 4 KiB in some versions. GnuPG 1.4.18 cannot use >= 5KiB keys anymore).
• Receiving side of communication: There may be OpenPGP implementations that only decrypt or verify up to a certain upper limit of key size.
• With keysizes larger than 2 KiB today (October 2014), it is extremely likely that there are many other weaker spots in your security. If you care about security, it is rational to deal with these weaknesses first before you consider raising the key sizes. The weaker spots are likely to be vulnerabilities in your computing environment, in the implementation of OpenPGP you are using and in your procedures to verify certificates.